Re: Two options
I think it's all part of the joys of legislating in a global environment.
1) Is almost certainly done by SIGINT types at places like Pine Gap. But that's also something hackers are doing all over the world. We want and expect our suppliers to have no exploits or vulnerabilities, and to quickly patch them when they're discovered. It's also where agencies have helped, eg the NSA famously suggested modifications to DES's S-boxes to strengthen it's security.
2) Is already done, eg the US and CALEA requirements. So the US has a lawful intercept mechanism. But Australia can't use that at their end, and it won't really help if the communication is encrypted. So back doors already exist, but might be country specific. Or would need to be globally implemented so there's a 'standard' lawful intercept provision.. But that could mean something that's exploited & risky.
I think legislation's working around this by defining CSPs because traditional intercepts aren't practical. So a telco won't know what you're posting on Facebook, but they're a CSP and do. Same with Apple and the iPhone test case. Apple probably could crack it, but they didn't, and that was a US challenge. If Australia asked the same thing, they've got less leverage because they can only legislate within their own jurisdiction. How LEA's communicate with CSPs is another one of those fun global challenges.
Biting the hand that feeds IT
